
New Virus Unleashed To Attack Verisign!


RJ

Breaking news...

By Andrew Colley, ZDNet Australia
02 October 2003


Sophos' anti-virus team has confirmed that it is in the preliminary stages of analysing a new Trojan that may be linked to an organised attack on VeriSign's domain name servers.

Paul Ducklin, head of technology, Sophos Asia-Pacific, said the Trojan, dubbed Qhost1, seduces the user to go to a Web site that exploits a security vulnerability in Internet Explorer and inserts malicious code onto the victim's personal computer.

Sophos's revelation coincides with unconfirmed reports from a source within the technical ranks of one of Australia's major ISPs of a spike in support calls from customers whose DNS server settings had been tampered with, in what appears to be an orchestrated attack on Internet security giant VeriSign.

"It's changing the IP address of the DNS servers from ours [domain name] across to VeriSign's to launch a DoS attack on them," said the source.

The source told ZDNet Australia that the activity appeared to be promoted by a virus or Trojan-like entity targeting Windows 2000 and Windows XP systems.

Ducklin said he was unable to confirm that the new Trojan was implicated in the activity described by the source but confirmed it appeared that Qhost1 was designed to alter the DNS setting of its victim PCs.

"This particular trojan messes up your DNS so in theory it could be targeted against anyone," said Ducklin.

"What I can say is that in the light of what [ZDNet Australia] has told us, it has made us interested in looking at this particular sample so that we can match it up if further samples come in and if appropriate there will be further notifications on our Web site," he said.

Sophos expected to have a new definition file posted to its Web site within the hour.

http://www.zdnet.com.au/newstech/security/story/0,2000048600,20279284,00.htm
 
0
•••
Interesting Stuff RJ.

Although it is changing things on the user's PC and causing DoS attacks, they are against VeriSign, so not a totally malicious Trojan ;) :laugh:
 
0
•••
More details. Virus creator a Rackshack user?

According to NAI, the Trojan configures the Windows registry and the "hosts" file used in DNS resolution, to redirect web browsers to a site evidently controlled by the attacker whenever they try to access certain web search engines.

TruSecure's Cooper added that the Trojan also sets up infected machines to get all their DNS services from these EV1 servers. This can cause some applications that rely on local DNS to stop functioning properly.

The infection mechanism for QHosts was not totally clear as of press time yesterday. Cooper said it was being delivered by a banner ad displayed at FortuneCity.com, but that the ad and the malicious code were hosted at ev1.net.

FortuneCity.com could not be reached for comment as of press time yesterday. Texas-based web host Everyone's Internet Inc, the owner of the ev1.net domain, said that it had located a user account that was the source of the problem and terminated it.

http://www.cbronline.com/latestnews/a7aa802c3a25406d80256db30018c17b
 
0
•••
Messing up users' host files to remap some of the common FQDN/URLs to a (possibly) hostile host/IP-address, or for redirecting traffic, etc., is an old trick.

Looks like this is a "new" use of an "old" exploit.
 
0
•••
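A defender-side check for the hosts-file remapping described in the two posts above, as an added example that is not part of the original thread or of any vendor's tooling. The watched domain list and the sample hosts content are constructed placeholders (the articles do not name the affected search engines).

```python
import ipaddress

# Assumption: domains the auditor wants to protect; placeholders, not from the articles.
WATCHED_SUFFIXES = ("search.example", "portal.example")

# Constructed sample hosts-file content (documentation-range IPs, .example names).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example
203.0.113.10    www.search.example search.example   # remapped
203.0.113.10\tWWW.Portal.Example.
192.168.1.20    fileserver.corp.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on any whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not an address: skip malformed line
        for name in fields[1:]:                 # one line may carry several aliases
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text, watched=WATCHED_SUFFIXES):
    """Return mappings that pin a watched domain to a non-loopback address."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue                            # localhost and 0.0.0.0 sinkhole entries
        if any(name == s or name.endswith("." + s) for s in watched):
            findings.append((line_no, str(ip), name))
    return findings

if __name__ == "__main__":
    # On Windows the real file is %SystemRoot%\System32\drivers\etc\hosts;
    # read it and pass its text to audit_hosts() instead of the sample.
    for line_no, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is pinned to {ip}")
```
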
One thing - if this virus works - each and every dot com and dot net site will crash.

It took such an attack for the idiots to finally put up a spare location elsewhere for their DB and servers - took them over 10 years to stop finding excuses to delay that lil thing - took a major attack - and a few more attacks might bring them up to speed.

It's easier to hack them than to get them to listen - makes me wanna learn HTML - J/K :)
 
0
•••
Wow, very interesting. I don't think this is a good sign. It will be WWW War I, where if you aren't as dense as me (World Wide Web War One, like World War One)
 
0
•••